According to a press release, the offices of Paul C. Brown, M.D., P.S., were broken into and equipment stolen. Among the stolen goods: CDs with patient data. Based on the fact that the doctor is issuing a press release, it’s obvious that data encryption software like AlertBoot wasn’t used. Or is it?
Over 500 Patients Affected?
The thieves broke into the office on October 14, 2011, a Friday. The burglary was discovered and reported to the police on October 17, a Monday. Notification letters were sent on December 13.
The stolen information on the CDs includes patient names, SSNs, dates of birth, home addresses, diagnoses, lab results, medications, surgery records, and other information. The information ranges from 1993 to 2004. It wasn’t mentioned how many patients were affected.
Based on the above, I think we can assume that over 500 people were affected by this breach and that encryption software was not used to protect patient data, since the patterns appear to be following HIPAA / HITECH breach guidelines:
- 57 days. That’s how long it took between finding the data breach and sending out the notification letters to affected patients. The Breach Notification Rule under HIPAA requires that patients be notified in 60 calendar days or less.
- Encryption provides safe harbor. The Breach Notification Rule is very clear: if protected health information (PHI) is breached, the covered entity must notify patients. The only exception is if the information was properly encrypted. The fact that letters were sent and a press release was issued strongly suggests that encryption was not used.
- Press release issued. The Breach Notification Rule also requires the issuance of a press release if more than 500 people are affected by the breach, or if not all patients can be contacted directly. Given that the records span 10+ years, though, it’s more likely that over 500 people were affected.
Based on my internet search, it looks like Dr. Brown specializes in general and colorectal surgery (which also reveals that an overwhelming majority of patients would recommend Dr. Brown). Assuming the CD was a backup of his files, it would only take around 5 surgeries a month to surpass the 500 PHI level.
The Curious Incident of the Dog in the Night-Time
Taking the above into consideration, the evidence strongly suggests that encryption wasn’t used. Or was it? I get the feeling that it was.
Gregory (Scotland Yard detective): “Is there any other point to which you would wish to draw my attention?”
Holmes: “To the curious incident of the dog in the night-time.”
Gregory: “The dog did nothing in the night-time.”
Holmes: “That was the curious incident.”
The above is an excerpt from a Sherlock Holmes story, “Silver Blaze.” Basically, it’s a lesson in paying attention to what happened as well as what didn’t happen. And there’s much to pay attention to in this regard.
Equipment was stolen from an office and we’re focusing on CDs. Why? Where’s the mention of computers? It makes no sense to have CDs if you don’t have a computer.
Given that nobody was aware of the burglary until two days later, it’s obvious that there wasn’t a security system in place. This means that the thieves had ample time to steal whatever they wanted, including computers, which probably would have stored patient information. Again, where’s the computer?
The implication is that the computer was protected with encryption software. If it was encrypted, you don’t need to report it. If you don’t need to report it, it doesn’t need to be the focus of a breach notification letter.
It kind of makes sense, too: if you were a small practice with little security in place and found out that HIPAA strongly urges you to use disk encryption software and other data protection tools (with encryption being your only free “get out of jail” card), encrypting your computers would be the natural first step. Of course, you forget about your backups because, who in the world steals CDs in this day and age?
The answer is identity thieves, but most people don’t take that into consideration. After all, who steals CDs?